Hi,
On the other hand, we need to give people some guidance somehow...

Do we? Who is "we"? Why is "our" guidance any better than what they get from their own experts, particularly if "our" guidance gets ossified in an IANA registry or RFCs that are updated slowly?

Instead of listing QR-secure (or insecure) symmetric algorithms, it's probably better to give some generic advice on selecting symmetric crypto in the presence of Quantum Computers.

For example (I stole the text from 
http://www.pqcrypto.eu.org/docs/initial-recommendations.pdf):

Symmetric systems are usually not affected by Shor's algorithm, but they are affected by Grover's algorithm. Under Grover's attack, the best security a key of length n can offer is 2^(n/2), so AES-128 offers only 2^64 post-quantum security. This document recommends using algorithms with 256-bit keys to achieve 2^128 post-quantum security.

There's no known Quantum attack against either (assuming long keys), and so they're in the same category as AES-256.

That would be better stated as "There's currently no known..."

Exactly.

--Paul Hoffman

Regards,
Valery.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
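The "generic advice" the thread argues for can be applied mechanically: take the key length of each symmetric primitive in a proposal, halve it for Grover, and compare with the 2^128 target from the quoted recommendation. The script below is an added example written for this page; it is not code from the thread, from pqcrypto.eu.org, or from any IPsec implementation. It assumes strongSwan-style proposal strings such as "aes128gcm16-prfsha256-ecp256" (an assumption about input format, parsed here with the example's own regexes, not strongSwan's parser), treats HMAC-SHA PRF/integrity keys as being as long as the hash output (the "assuming long keys" caveat from the thread), and skips DH/EC groups, to which Grover's square-root bound does not apply.

```python
"""Grover-bound check for the symmetric primitives of an IKE/ESP proposal.

Added example (not from the mailing-list thread or pqcrypto.eu.org).
Input format: strongSwan-style proposal strings, e.g. "aes256gcm16-prfsha384-ecp384".
"""
import re
from typing import List, NamedTuple, Optional

# Target from the quoted recommendation: 2^128 post-quantum work.
TARGET_PQ_BITS = 128

# Hypothetical token patterns for this example (not strongSwan's own grammar):
#   aes128 / aes256gcm16 / camellia256 / aes128ctr  -> block cipher key length
#   sha1 / sha256 / sha256_96 / prfsha384           -> HMAC-SHA integrity/PRF
_CIPHER_RE = re.compile(r"^(?:aes|camellia)(128|192|256)(?:gcm\d+|ccm\d+|ctr)?$")
_HMAC_RE = re.compile(r"^(?:prf)?sha(1|256|384|512)(?:_\d+)?$")


class Finding(NamedTuple):
    token: str      # proposal token, e.g. "aes128gcm16"
    key_bits: int   # secret key length n
    pq_bits: int    # Grover bound: n // 2
    ok: bool        # pq_bits >= target


def grover_bits(key_bits: int) -> int:
    """Best security a key of length n can offer against Grover: 2^(n/2)."""
    return key_bits // 2


def secret_bits(token: str) -> Optional[int]:
    """Key length of a symmetric token, or None for DH/EC groups and unknown tokens."""
    if token == "chacha20poly1305":
        return 256
    m = _CIPHER_RE.match(token)
    if m:
        return int(m.group(1))
    m = _HMAC_RE.match(token)
    if m:
        # HMAC key assumed as long as the hash output (160 bits for SHA-1).
        return 160 if m.group(1) == "1" else int(m.group(1))
    return None  # modp*/ecp*/x25519 etc.: Shor territory, not Grover's


def check_proposal(proposal: str, target_bits: int = TARGET_PQ_BITS) -> List[Finding]:
    """Evaluate every symmetric token of a '-'-separated proposal against the target."""
    findings = []
    for token in proposal.split("-"):
        bits = secret_bits(token)
        if bits is None:
            continue
        pq = grover_bits(bits)
        findings.append(Finding(token, bits, pq, pq >= target_bits))
    return findings


def weakest_pq_bits(proposal: str) -> Optional[int]:
    """Post-quantum security of the proposal = its weakest symmetric primitive."""
    findings = check_proposal(proposal)
    return min(f.pq_bits for f in findings) if findings else None


def proposal_ok(proposal: str, target_bits: int = TARGET_PQ_BITS) -> bool:
    """True only if every symmetric primitive meets the Grover-adjusted target."""
    findings = check_proposal(proposal, target_bits)
    return bool(findings) and all(f.ok for f in findings)


if __name__ == "__main__":
    # Constructed sample proposals for demonstration.
    for p in ("aes128gcm16-prfsha256-ecp256",
              "aes256gcm16-prfsha384-ecp384",
              "chacha20poly1305-prfsha256-x25519",
              "aes256-sha1-modp2048"):
        verdict = "OK " if proposal_ok(p) else "WEAK"
        detail = ", ".join(f"{f.token}: {f.key_bits}->{f.pq_bits}" for f in check_proposal(p))
        print(f"{verdict} {p:38} {detail}")
```

Note that the check flags "aes256-sha1-modp2048" even though the cipher is fine: the SHA-1 HMAC key is only 160 bits, so its Grover bound is 2^80, which is the kind of mismatch a per-algorithm registry tends to miss and a generic rule catches.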